Download Latest Version gogs_v0.14.3_linux_386.zip (40.1 MB)
Email in envelope

Get an email when there's a new version of Gogs

Home / v0.14.3
Name Modified Size InfoDownloads / Week
Parent folder
gogs_v0.14.3_linux_amd64.tar.gz 2026-06-07 41.3 MB
gogs_v0.14.3_linux_amd64.zip 2026-06-07 41.3 MB
gogs_v0.14.3_linux_arm64.tar.gz 2026-06-07 39.1 MB
gogs_v0.14.3_linux_386.tar.gz 2026-06-07 40.1 MB
gogs_v0.14.3_linux_386.zip 2026-06-07 40.1 MB
gogs_v0.14.3_linux_arm64.zip 2026-06-07 39.1 MB
gogs_v0.14.3_windows_amd64.zip 2026-06-07 41.7 MB
gogs_v0.14.3_windows_amd64_mws.zip 2026-06-07 41.8 MB
gogs_v0.14.3_darwin_amd64.zip 2026-06-07 42.5 MB
gogs_v0.14.3_darwin_arm64.zip 2026-06-07 41.2 MB
gogs_v0.14.3_windows_arm64.zip 2026-06-07 39.3 MB
gogs_v0.14.3_windows_386_mws.zip 2026-06-07 40.8 MB
gogs_v0.14.3_windows_386.zip 2026-06-07 40.8 MB
gogs_v0.14.3_windows_arm64_mws.zip 2026-06-07 39.3 MB
0.14.3 source code.tar.gz 2026-06-07 14.3 MB
0.14.3 source code.zip 2026-06-07 15.5 MB
README.md 2026-06-07 11.0 kB
Totals: 17 Items   598.2 MB 3

Fixed

  • Security: Reverse proxy authentication header was honored from any remote address, allowing user impersonation when Gogs was reachable directly. The header is now only trusted from addresses listed in [auth] TRUSTED_PROXY_IPS. #8264 - GHSA-w6j9-vw59-27wv
  • Security: Server-side request forgery in webhook deliveries via HTTP redirects to local network addresses. #8263 - GHSA-c4v7-xg93-qf8g
  • Security: Denial of service when rendering issue references against a malformed external issue tracker URL format. #8312 - GHSA-4j89-2c4f-44c6
  • Security: Stored XSS in Jupyter notebook (.ipynb) preview through Markdown links with javascript: URLs. #8319 - GHSA-jq8v-rmf6-65jw
  • Security: Missing authorization check on the attachment download endpoint allowed anyone who knew (or guessed) an attachment UUID to download files belonging to private repositories. #8320 - GHSA-p9f5-h3rx-j5qw
  • Security: Organization team and member management actions accepted GET requests, allowing a logged-in owner to be tricked into adding an attacker to the Owners team via a crafted link. #8321 - GHSA-pwx3-qcgw-vh7h
  • Security: SSRF via mirror address update bypassing clone address validation. #8225 - GHSA-wv27-2vqp-j7g5
  • Security: Open redirect on login and other post-action flows via the redirect_to query parameter. #8322 - GHSA-xxhq-69mf-w8cr
  • Security: Privilege escalation to repository owner via collaboration access mode update. #8227 - GHSA-4565-r4x7-hg8j
  • Security: SSRF in repository migration and recurring mirror sync via HTTP redirects and stale host validation on stored mirror URLs. #8324 - GHSA-g2f5-gjr4-qjvm
  • Security: Remote command execution via pull request rebase merges with crafted branch names. #8301 - GHSA-qf6p-p7ww-cwr9
  • Security: Stored XSS in the milestone dropdown on the new issue page via crafted milestone names. #8325 - GHSA-vcm5-gvmp-78mp
  • Security: Stored XSS in Jupyter notebook (.ipynb) preview through data:text/html URIs that bypassed the sanitizer. #8326 - GHSA-3w28-36p9-w929
  • Security: Write-level collaborators could change admin-only repository settings (issue tracker, wiki, mirror sync) via API. #8327 - GHSA-268j-37xf-pp52
  • Security: Password reset tokens stayed valid for the account-activation lifetime, ignoring [auth] RESET_PASSWORD_CODE_LIVES. #8328 - GHSA-5c3f-6486-3g7g
  • Security: Stored XSS in Jupyter notebook (.ipynb) preview through raw HTML in markdown cells. #8330 - GHSA-6vxv-wg6j-5qwp
  • Security: Read-only Git HTTP access could be confused with write access during repository pushes. #8331 - GHSA-wmfg-5p4h-5fw3
  • Security: Arbitrary file write outside the repository working tree via crafted upload filename routed through a committed directory symlink. #8332 - GHSA-89mr-xqfv-758m
  • Security: Cross-repository disclosure of Git LFS object contents by binding a known OID to another repository without proving possession of the bytes. #8333 - GHSA-6p9m-q3jp-47h4
  • Security: Remote code execution via path traversal in organization names accepted through the API. #8334 - GHSA-c39w-43gm-34h5
  • Security: Stalled SSH handshakes pinned a file descriptor and goroutine indefinitely. The built-in SSH server now drops connections that do not complete the handshake within 15 seconds. #8335 - GHSA-xp79-5mx3-jx52
  • Security: Organization metadata and team list endpoints were reachable without authentication. #8336 - GHSA-744x-3838-5r56
Previous patch releases ## 0.14.2 ### Fixed - _Security:_ Denial of service in repository and wiki file listing pages via crafted file names. [#8116](https://github.com/gogs/gogs/pull/8116) - [GHSA-3qq3-668m-v9mj](https://github.com/gogs/gogs/security/advisories/GHSA-3qq3-668m-v9mj) - _Security:_ Cross-repository LFS object overwrite via missing content hash verification. [#8166](https://github.com/gogs/gogs/pull/8166) - [GHSA-gmf8-978x-2fg2](https://github.com/gogs/gogs/security/advisories/GHSA-gmf8-978x-2fg2) - _Security:_ Stored XSS via data URI in issue comments. [#8174](https://github.com/gogs/gogs/pull/8174) - [GHSA-xrcr-gmf5-2r8j](https://github.com/gogs/gogs/security/advisories/GHSA-xrcr-gmf5-2r8j) - _Security:_ Release tag option injection in release deletion. [#8175](https://github.com/gogs/gogs/pull/8175) - [GHSA-v9vm-r24h-6rqm](https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm) - _Security:_ Stored XSS in branch and wiki views through author and committer names. [#8176](https://github.com/gogs/gogs/pull/8176) - [GHSA-vgvf-m4fw-938j](https://github.com/gogs/gogs/security/advisories/GHSA-vgvf-m4fw-938j) - _Security:_ DOM-based XSS via issue meta selection on the issue page. [#8178](https://github.com/gogs/gogs/pull/8178) - [GHSA-vgjm-2cpf-4g7c](https://github.com/gogs/gogs/security/advisories/GHSA-vgjm-2cpf-4g7c) - Unable to update files via web editor and API. [#8184](https://github.com/gogs/gogs/pull/8184) ### Removed - Support for passing API access tokens via URL query parameters (`token`, `access_token`). Use the `Authorization` header instead. [#8177](https://github.com/gogs/gogs/pull/8177) - [GHSA-x9p5-w45c-7ffc](https://github.com/gogs/gogs/security/advisories/GHSA-x9p5-w45c-7ffc) ## 0.14.1 ### Added - Support comparing tags in addition to branches. [#6141](https://github.com/gogs/gogs/issues/6141) - Show file name in browser tab title when viewing files. [#5896](https://github.com/gogs/gogs/pull/5896) - Support using TLS for Redis session provider using `[session] PROVIDER_CONFIG = ...,tls=true`. [#7860](https://github.com/gogs/gogs/pull/7860) - Support expanading values in `app.ini` from environment variables, e.g. `[database] PASSWORD = ${DATABASE_PASSWORD}`. [#8057](https://github.com/gogs/gogs/pull/8057) - Support custom logout URL that users get redirected to after sign out using `[auth] CUSTOM_LOGOUT_URL`. [#8089](https://github.com/gogs/gogs/pull/8089) - Start publishing next-generation, security-focused Docker image via `gogs/gogs:next-latest`, which will become the default image distribution (`gogs/gogs:latest`) starting 0.16.0. While not all container options support have been added in the next-generation image, the use of current legacy Docker image is deprecated, it will be published as `gogs/gogs:legacy-latest` starting 0.16.0, and be completely removed no earlier than 0.17.0. [#8061](https://github.com/gogs/gogs/pull/8061) ### Changed - The required Go version to compile source code changed to 1.25. - The build tag `cert` has been removed, and the `gogs cert` subcommand is now always available. [#7883](https://github.com/gogs/gogs/pull/7883) - Switched to pure-Go SQLite driver, CGO is no longer required to compile Gogs. [#7882](https://github.com/gogs/gogs/issues/7882) - Updated Mermaid JS to 11.9.0. [#8009](https://github.com/gogs/gogs/pull/8009) - Halt the repository creation and leave the directory untouched if the repository root already exists. [#8091](https://github.com/gogs/gogs/pull/8091) ### Fixed - _Security:_ Unauthenticated file upload. [#8128](https://github.com/gogs/gogs/pull/8128) - [GHSA-fc3h-92p8-h36f](https://github.com/gogs/gogs/security/advisories/GHSA-fc3h-92p8-h36f) - _Security:_ Protected branch bypass in web UI. [#8124](https://github.com/gogs/gogs/pull/8124) - [GHSA-2c6v-8r3v-gh6p](https://github.com/gogs/gogs/security/advisories/GHSA-2c6v-8r3v-gh6p) - _Security:_ Authorization bypass allows cross-repository label modification. [#8123](https://github.com/gogs/gogs/pull/8123) - [GHSA-cv22-72px-f4gh](https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh) - _Security:_ Cross-repository comment deletion. [#8119](https://github.com/gogs/gogs/pull/8119) - [GHSA-jj5m-h57j-5gv7](https://github.com/gogs/gogs/security/advisories/GHSA-jj5m-h57j-5gv7) - 500 error on repository watchers and stargazers pages when using MSSQL. [#5482](https://github.com/gogs/gogs/issues/5482) - Submodules using `ssh://` protocol and a port number are not rendered correctly. [#4941](https://github.com/gogs/gogs/issues/4941) - Missing link to user profile on the first commit in commits history page. [#7404](https://github.com/gogs/gogs/issues/7404) - Unable to delete or display files with special characters in their names. [#7596](https://github.com/gogs/gogs/issues/7596) - Docker healthcheck fails when `HTTP_PROXY` or `HTTPS_PROXY` environment variables are set. [#7529](https://github.com/gogs/gogs/issues/7529)
Source: README.md, updated 2026-06-07